General Information

On December 6, 2001 Microsoft released the original version of this bulletin. On December 7, 2001 an issue relating to file dependencies for the patch was identified and the bulletin was updated and re-released to include this information. Specifically, for this patch to function properly, the Outlook Web Access (OWA) server on which the patch is installed must have Internet Explorer (IE) 5.0 or greater installed. If the patch is installed on a system with a version of IE less than 5.0, unexpected consequences may result. The "Caveats" section has been updated to include version requirements for this patch. In addition, it contains version recommendations for dependent components that are applicable at the time of this writing. In addition, the FAQ contains remediation information for customers who have applied this patch on systems with versions of IE older than 5.0.

OWA is a service of Exchange 5.5 Server that allows users to access and manipulate messages in their Exchange mailbox by using a web browser.

A flaw exists in the way OWA handles inline script in messages in conjunction with Internet Explorer. If an HTML message that contains specially formatted script is opened in OWA, the script executes when the message is opened. Because OWA requires that scripting be enabled in the zone where the OWA server is located, a vulnerability results because this script could take any action against the user's Exchange mailbox that the user himself was capable of, including sending, moving, or deleting messages. An attacker could maliciously exploit this flaw by sending a specially crafted message to the user. If the user opened the message in OWA, the script would then execute.

While it is possible for a script to send a message as the user, it is impossible for the script to send a message to addresses in the user's address book. Thus, the flaw cannot be exploited for mass-mailing attacks. Also, mounting a successful attack requires knowledge of the intended victim's choice of mail clients and reading habits. If the maliciously crafted message were read in any mail client other than a browser through OWA, the attack would fail.

Mitigating factors:

A successful attack would require the victim to read the message in a IE using OWA only. The attack would fail if read in any other mail client.

A successful attack would also require knowledge of the version of OWA in use. The attack would fail on other versions of OWA.

A successful attack can only take action on the mailbox on the Exchange Server as the user. It cannot take action on the user's local machine. It cannot take actions on any other users mailbox directly. Nor can it take actions directly on the Exchange Server.

Severity Rating:

Internet Servers

Intranet Servers

Client Systems

Exchange 5.5 OWA

Moderate

Moderate

None

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. A successful attack would require specific knowledge of the potential victim's computing environment and possibly their computing habits.

Microsoft tested Exchange 5.5 and Exchange 2000 to assess whether they are affected by these vulnerabilities. Previous versions are no longer eligible for hotfix support, and may or may not be affected by these vulnerabilities.

Why was this bulletin updated? This bulletin was updated because shortly after it was originally released on December 06, 2001 we discovered a version specific file dependency requirement in IE on the OWA server for the patch to function properly. If the patch is applied to servers that do not meet this requirement, OWA clients could experience unexpected results. We have updated the bulletin with this information. In addition, OWA has dependencies on other products on the server, specifically IE and IIS. We have made version recommendations that detail the versions of those dependent components that are currently supported for security patches at the time of this writing. Finally, we have included remediation information for customers who have deployed the patch on systems that do not meet the IE version requirements.

What's the scope of the vulnerability?This vulnerability could enable an attacker to run script of his choice against a user's Exchange mailbox by embedding script in any mail message. When activated, such a malicious message would be capable of taking any action that the user himself could take on the mailbox, including adding, changing, or deleting data in the mailbox.

What causes the vulnerability?The vulnerability results because the content filtering feature in OWA can fail to detect script in some instances. When a valid message is intentionally designed to obfuscate the presence of script, it is still possible for that script to execute.

What is Outlook Web Access (OWA)?OWA is a feature in Exchange 5.5 and 2000 that allows users to access their email via a web browser instead of a mail client. Essentially, OWA makes an Exchange server also function as a web site that lets authorized users read or send mail, manage their calendar, or perform other mail functions via the Internet.

What's the problem with how OWA handles message script when using IE?When OWA processes a user request to retrieve a mail message, it is possible to embed script in a particular way so that OWA does not filter it correctly causing the script to execute.

Is it possible to craft an HTML mail message like this by accident?No. It is not possible to create a document that bypasses script filtering by accident. It would require very specific, detailed knowledge and such a message would have to be specifically constructed with malicious intent.

Are all versions of OWA are vulnerable?No. The vulnerability only affects OWA in Exchange 5.5.

Does this vulnerability affect Outlook or Outlook Express?No. The vulnerability only affects Outlook Web Access. It does not affect any of the Outlook or Outlook Express clients.

Does this vulnerability affect all browsers using OWA?No, the issue only occurs when using IE with OWA. No other browsers are affected.

What would this vulnerability enable an attacker to do?The message would be able to take any action that the user could take on his Exchange mailbox. This could include manipulating messages or folders with complete control.

How might an attacker use this vulnerability?To exploit this vulnerability, an attacker would have to construct a specially crafted message and send it to the intended victim as a mail message. The intended victim would have to use OWA to open the mail message. It's important to note that if the user were to open the message in the Outlook client, the attack would fail. Because the attack would require a user to use a specific mail client, a significant degree of social engineering would be required to successfully exploit this vulnerability.

What does the patch do?The patch eliminates the vulnerability by changing the way that OWA handles inline script. After the patch is applied, OWA strips inline script before sending the messages to IE.

What servers should I install the patch on?This patch is intended only for servers that are running the Exchange 5.5 OWA service on IIS. You do not need to install this patch on servers that are not running the Exchange 5.5 OWA service on IIS.

Can you clarify this? Do I install this on my Exchange servers?Not exactly. You install this patch on your OWA server. The OWA server is an IIS server with the OWA service installed. Depending on your configuration, your OWA server may or may not also be running Exchange. In some configurations, the OWA Server will also be running Exchange. In this configuration, you would apply the patch to this server because it is running OWA. In other configurations, the OWA Server connects to a different server running Exchange without OWA. In this configuration, you would apply the patch to the OWA server but not apply it to the Exchange server without OWA. You do not apply this patch to Exchange servers without OWA, only to servers running OWA.

Isn't this the same issue that you patched in MS01-030?No. It is similar, but different. The issue in MS01-030 related to the ability of an HTML attachment to execute script. This issue relates to the ability of script that is specially embedded in the body of the message itself to execute.

But in the FAQ for MS01-030, you said that OWA strips potentially dangerous content from mail messages. Doesn't this contradict that statement?Not exactly. By design, OWA on Exchange 5.5 and Exchange 2000 do strip potentially dangerous content from the body of mail messages. This flaw, which affects only Exchange 5.5, allows certain specially crafted HTML mail messages to by-pass that protection.

What is the version requirement discussed in this bulletin? How is it different from the regular OWA requirements?The version requirement listed under the "Caveats" section is a requirement over and above the base requirements for the Exchange 5.5 OWA service. To install this patch successfully on an OWA server, it must meet both the base requirements and this additional requirement. Installing this patch on a system that does not meet the version requirement in this bulletin can lead to unexpected results.

My server doesn't meet this requirement, what should I do to install this patch?If you server does not meet the IE requirement for this patch, you should first upgrade your server and then apply the patch.

What version should I upgrade to? Is it OK to just upgrade to IE 5.0?If you upgrade to IE 5.0, you will be able to install the patch successfully. However, as noted in recent IE bulletins, such as MS01-055, versions older than IE 5.5 SP2 are no longer eligable for hotfix support, as of the time of this writing. Because of this, it is recommended that you upgrade to IE 5.5 SP2 or greater, to ensure that you are eligible for hotfix support for IE.

I'm confused, do I have to upgrade IE on my OWA clients or my OWA server?You have to upgrade the OWA server. The version requirement for this patch is ONLY for the server, not for the clients.

What are the version recommendations discussed in this bulletin? How are they different from the regular OWA requirements?The Exchange 5.5 OWA Service has dependencies on both IE and IIS. While these dependencies are met by meeting OWA's stated requirements, the versions listed for those requirements are outside of security hotfix support as discussed in MS01-055 for IE and MS01-044 for IIS. Because of this, to ensure that all dependent components are eligible for security hotfix support, we have included version recommendations. As of the time of this writing, these recommendations are versions that are eligible for security hotfix support. It is recommended that customers meet these version recommendations, over and above the base OWA recommendations, to fully secure their systems.

I installed the patch on a system that doesn't meet the patch's version requirements, what can I do to fix this?If you have installed the patch on an OWA server that doesn't meet the version requirement, you can upgrade IE to version 5.0 or greater. However, as noted in this bulletin, it is recommended that you upgrade to a version that is eligible for security hotfix support. At the time of this writing, this is IE 5.5 SP2 or greater.

I've followed the instruction above and I'm still having problems, what should I do now?If you are still having problems as a result of the patch, contact Microsoft Product Support Services. All calls related to security patches are free of charge. There's information on how to contact Product Support Services at: http://www.microsoft.com/support

To verify the individual files, use the date/time and version information provided in the KB Article

Caveats:

Version Requirements for Dependent Components for this patch:

To install successfully, this patch requires that the OWA server have IE 5.0 or greater installed.

Version Recommendations for Dependent Comonents for OWA:

At the time of this writing, the following versions are recommended for dependent components on the OWA server:

IIS

IIS Version 4.0 on Windows NT 4.0 SP5 or greater

IIS Version 5.0 on Windows 2000 SP1 or greater

IE:

IE Version 5.5 SP2

IE Version 6.0

Localization:

Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".

Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks Lex Arquette of WhiteHat Security for reporting this issue to us and working with us to protect customers.

Support:

Microsoft Knowledge Base article Q313576 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 (December 06, 2001): Bulletin Created.

V1.1 (December 07, 2001): Bulletin revised to correct spelling errors and to provide further clarification in the FAQ regarding where to apply the patch.

V2.0 (December 07, 2001): Bulletin updated and republished to discuss version requirements and recommendations for installing the patch as well as including remediation steps for customers who have applied the patch on systems that do not conform to those requirements.